pfSense Forum

pfSense English Support => OpenVPN => Topic started by: setchi on January 17, 2012, 03:00:33 pm

Title: OpenVPN without username/password
Post by: setchi on January 17, 2012, 03:00:33 pm
Is it possible to use the user manager just to create/maintain certificates and keys?
I want my OpenVPN to NOT ask for username and password during connection and just
authenticate the user by the key and certificate.

Is there a how-to or guide to set up OpenVPN on pfSense 2.0.1 without passwords?

Thanks,
Florian
Title: Re: OpenVPN without username/password
Post by: jimp on January 24, 2012, 09:02:21 am
Sure, just set up the OpenVPN server type as "SSL/TLS" (no auth) and then add certificates in the Cert Manager; you can still export client installers that way. They are not tied to usernames, just certificates. You don't need to add users since they do not need usernames and passwords.
Title: Re: OpenVPN without username/password
Post by: nexusN on June 11, 2012, 12:51:53 am
> Sure, just set up the OpenVPN server type as "SSL/TLS" (no auth) and then add certificates in the Cert Manager; you can still export client installers that way. They are not tied to usernames, just certificates. You don't need to add users since they do not need usernames and passwords.

I am doing this, SSL/TLS only without User Auth, for a portion of VPN users (anonymously for some forum friends) ... but I do have a worry on the safety of the connection. :(
The above is used because when someone is going to spread the credentials, it has no difference if I actually use User Auth or not.
No User Auth seems to be more convenient for them in connecting. ;D

Would the connection in this way be less secure than having User Auth? ???
Title: Re: OpenVPN without username/password
Post by: jimp on June 11, 2012, 09:42:08 am
It depends on what you mean by "secure".

The level of encryption would be the same, with or without user authentication.

User authentication is an extra layer of prevention to keep out unauthorized access.

So in terms of access control, not having user auth makes it less secure.
But in terms of encryption, the security would be equivalent.
Title: Re: OpenVPN without username/password
Post by: nexusN on June 15, 2012, 01:42:41 am
> It depends on what you mean by "secure".
>
> The level of encryption would be the same, with or without user authentication.
>
> User authentication is an extra layer of prevention to keep out unauthorized access.
>
> So in terms of access control, not having user auth makes it less secure.
> But in terms of encryption, the security would be equivalent.

Sorry for getting back to you late, my question has been well answered :D
In that way I should keep my current practice of having no user auth :P for the encryption being the same level.
Title: Re: OpenVPN without username/password
Post by: jimp on June 15, 2012, 06:36:52 am
All you need to do is change the mode of the VPN from SSL/TLS+User Auth to simply SSL/TLS - then no auth will be required, but the rest of the settings can stay the same.
Title: Re: OpenVPN without username/password
Post by: nexusN on June 19, 2012, 11:45:02 pm
> All you need to do is change the mode of the VPN from SSL/TLS+User Auth to simply SSL/TLS - then no auth will be required, but the rest of the settings can stay the same.

Yes, I did exactly the same and it works like a charm :D
Title: Re: OpenVPN without username/password
Post by: da_zhuang on August 02, 2012, 04:24:10 pm
Dear Jimp:

I'm very new to OpenVPN and I'm not sure how to change the mode of the VPN from SSL/TLS+User Auth to simply SSL/TLS. Do I just modify the config file or do I need to reinstall with some other options enabled? Thanks.
Title: Re: OpenVPN without username/password
Post by: marvosa on August 02, 2012, 06:09:03 pm
da_zhuang,
Edit your OpenVPN server: on the Server tab, in the General information section, use the drop-down menu to change the Server Mode option to Remote Access (SSL/TLS).
Title: Re: OpenVPN without username/password
Post by: hugolia on April 16, 2013, 09:49:18 am
Is it possible to have User/password for some users but not for all?
I am using OpenVPN for RoadWarriors users (mostly notebooks). But now I need to set up a connection to a site where I will have a server with a daemon client to establish the VPN between sites.
Title: Re: OpenVPN without username/password
Post by: marvosa on April 16, 2013, 10:02:03 am
hugolia,
Yes. Just configure a 2nd server on a different port.
Title: Re: OpenVPN without username/password
Post by: jimp on April 16, 2013, 10:03:12 am
> Is it possible to have User/password for some users but not for all?
> I am using OpenVPN for RoadWarriors users (mostly notebooks). But now I need to set up a connection to a site where I will have a server with a daemon client to establish the VPN between sites.

Yes, but they would need to use separate server instances. You can have one server that does user/pass, one that does not, and others for site-to-site VPNs.

Any more detail than that belongs in its own thread specific to your implementation, though, so if you need more help than that, feel free to start a fresh thread and ask.
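
Added example, not part of the forum thread and not pfSense code: when several server instances run side by side as described above, the OpenVPN directives in each instance's config show which authentication mode it enforces. The sample configs, instance names and function names are constructed, and only `auth-user-pass-verify` is treated as user authentication, so plugin-based authentication is not detected.

```python
# Constructed sample configs for three server instances (not pfSense output).
SAMPLES = {
    "roadwarrior": "tls-server\nca ca.crt\ncert srv.crt\nkey srv.key\n"
                   "crl-verify crl.pem\nauth-user-pass-verify ./check.sh via-file\n",
    "daemon_site": "tls-server\nca ca.crt\ncert srv.crt\nkey srv.key\n",
    "legacy_peer": "dev tun\n# static key, no TLS\nsecret shared.key\n",
}

def parse_directives(text):
    """Map each directive name to the list of its argument lists."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        name, *args = line.split()
        found.setdefault(name, []).append(args)
    return found

def classify(text):
    """Return the client authentication mode implied by a server config."""
    d = parse_directives(text)
    if "secret" in d:                          # static shared key, no certificates
        return "shared-key"
    # A client certificate is required unless the config relaxes it.
    relaxed = "client-cert-not-required" in d or any(
        a[:1] in (["none"], ["optional"]) for a in d.get("verify-client-cert", []))
    user_auth = "auth-user-pass-verify" in d
    if user_auth:
        return "user-auth-only" if relaxed else "tls+user-auth"
    return "no-client-auth" if relaxed else "tls-only"

def audit(text):
    """Return (mode, notes); notes say what access control rests on."""
    mode, d, notes = classify(text), parse_directives(text), []
    if mode == "tls-only":
        notes.append("certificate is the only access control")
    if mode in ("tls-only", "tls+user-auth") and "crl-verify" not in d:
        notes.append("no crl-verify: revoked certificates are not rejected")
    if mode in ("user-auth-only", "no-client-auth"):
        notes.append("client certificate not required")
    return mode, notes

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, *audit(cfg))
```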